comparison stream_ssl_verify_client.t @ 1114:c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Additionally, this includes a test for ssl_trusted_certificate.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Thu, 19 Jan 2017 16:59:20 +0300 |
parents | b3d5a2f8a00b |
children | 8ef51dbb5d69 |
1113:41690e007ad8 | 1114:c5df4742ad40 |
---|---|
45 | 45 |
46 events { | 46 events { |
47 } | 47 } |
48 | 48 |
49 stream { | 49 stream { |
50 ssl_certificate_key localhost.key; | 50 log_format status $status; |
51 ssl_certificate localhost.crt; | |
52 | 51 |
53 ssl_verify_client optional_no_ca; | 52 ssl_certificate_key 1.example.com.key; |
53 ssl_certificate 1.example.com.crt; | |
54 | 54 |
55 server { | 55 server { |
56 listen 127.0.0.1:8080 ssl; | 56 listen 127.0.0.1:8080; |
57 return $ssl_client_verify; | 57 return $ssl_client_verify:$ssl_client_cert; |
58 | 58 |
59 ssl_client_certificate client.crt; | 59 ssl_verify_client on; |
60 ssl_client_certificate 2.example.com.crt; | |
60 } | 61 } |
61 | 62 |
62 server { | 63 server { |
63 listen 127.0.0.1:8081 ssl; | 64 listen 127.0.0.1:8081 ssl; |
64 return $ssl_client_verify; | 65 return $ssl_client_verify:$ssl_client_cert; |
66 | |
67 ssl_verify_client on; | |
68 ssl_client_certificate 2.example.com.crt; | |
69 | |
70 access_log %%TESTDIR%%/status.log status; | |
71 } | |
72 | |
73 server { | |
74 listen 127.0.0.1:8082 ssl; | |
75 return $ssl_client_verify:$ssl_client_cert; | |
76 | |
77 ssl_verify_client optional; | |
78 ssl_client_certificate 2.example.com.crt; | |
79 ssl_trusted_certificate 3.example.com.crt; | |
80 } | |
81 | |
82 server { | |
83 listen 127.0.0.1:8083 ssl; | |
84 return $ssl_client_verify:$ssl_client_cert; | |
85 | |
86 ssl_verify_client optional_no_ca; | |
87 ssl_client_certificate 2.example.com.crt; | |
65 } | 88 } |
66 } | 89 } |
67 | 90 |
68 EOF | 91 EOF |
69 | |
70 my $d = $t->testdir(); | |
71 | 92 |
72 $t->write_file('openssl.conf', <<EOF); | 93 $t->write_file('openssl.conf', <<EOF); |
73 [ req ] | 94 [ req ] |
74 default_bits = 2048 | 95 default_bits = 2048 |
75 encrypt_key = no | 96 encrypt_key = no |
76 distinguished_name = req_distinguished_name | 97 distinguished_name = req_distinguished_name |
77 [ req_distinguished_name ] | 98 [ req_distinguished_name ] |
78 EOF | 99 EOF |
79 | 100 |
80 foreach my $name ('localhost', 'client') { | 101 my $d = $t->testdir(); |
102 | |
103 foreach my $name ('1.example.com', '2.example.com', '3.example.com') { | |
81 system('openssl req -x509 -new ' | 104 system('openssl req -x509 -new ' |
82 . "-config '$d/openssl.conf' -subj '/CN=$name/' " | 105 . "-config '$d/openssl.conf' -subj '/CN=$name/' " |
83 . "-out '$d/$name.crt' -keyout '$d/$name.key' " | 106 . "-out '$d/$name.crt' -keyout '$d/$name.key' " |
84 . ">>$d/openssl.out 2>&1") == 0 | 107 . ">>$d/openssl.out 2>&1") == 0 |
85 or die "Can't create certificate for $name: $!\n"; | 108 or die "Can't create certificate for $name: $!\n"; |
86 } | 109 } |
87 | 110 |
88 my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!"); | 111 $t->try_run('no ssl_verify_client')->plan(10); |
89 Net::SSLeay::set_cert_and_key($ctx, "$d/client.crt", "$d/client.key") or die; | |
90 | |
91 $t->try_run('no ssl_verify_client')->plan(2); | |
92 | 112 |
93 ############################################################################### | 113 ############################################################################### |
94 | 114 |
95 my ($s, $ssl) = get_ssl_socket(port(8080)); | 115 TODO: { |
96 is(Net::SSLeay::read($ssl), 'SUCCESS', 'success'); | 116 todo_skip 'leaves coredump', 1 unless $t->has_version('1.11.9'); |
97 | 117 |
98 ($s, $ssl) = get_ssl_socket(port(8081)); | 118 is(stream()->read(), ':', 'plain connection'); |
99 like(Net::SSLeay::read($ssl), qr/FAILED/, 'failed'); | 119 |
120 } | |
121 | |
122 TODO: { | |
123 local $TODO = 'fails on one-pass ngx_ssl_handshake' | |
124 unless $t->has_version('1.11.9'); | |
125 | |
126 is(get(8081), '', 'no cert'); | |
127 is(get(8082, '1.example.com'), '', 'bad optional cert'); | |
128 | |
129 } | |
130 | |
131 is(get(8082), 'NONE:', 'no optional cert'); | |
132 like(get(8083, '1.example.com'), qr/FAILED.*BEGIN/, 'bad optional_no_ca cert'); | |
133 | |
134 like(get(8081, '2.example.com'), qr/SUCCESS.*BEGIN/, 'good cert'); | |
135 like(get(8082, '2.example.com'), qr/SUCCESS.*BEGIN/, 'good cert optional'); | |
136 like(get(8082, '3.example.com'), qr/SUCCESS.*BEGIN/, 'good cert trusted'); | |
137 | |
138 SKIP: { | |
139 skip 'Net::SSLeay version >= 1.36 required', 1 if $Net::SSLeay::VERSION < 1.36; | |
140 | |
141 my $ca = join ' ', get(8082, '3.example.com'); | |
142 is($ca, '/CN=2.example.com', 'no trusted sent'); | |
143 | |
144 } | |
145 | |
146 TODO: { | |
147 local $TODO = 'not yet, see above' unless $t->has_version('1.11.9'); | |
148 | |
149 $t->stop(); | |
150 | |
151 is($t->read_file('status.log'), "500\n200\n", 'log'); | |
152 | |
153 } | |
100 | 154 |
101 ############################################################################### | 155 ############################################################################### |
102 | 156 |
103 sub get_ssl_socket { | 157 sub get { |
104 my ($port) = @_; | 158 my ($port, $cert) = @_; |
105 | 159 |
106 my $dest_ip = inet_aton('127.0.0.1'); | 160 my $dest_ip = inet_aton('127.0.0.1'); |
107 my $dest_serv_params = sockaddr_in($port, $dest_ip); | 161 my $dest_serv_params = sockaddr_in(port($port), $dest_ip); |
108 | 162 |
109 socket(my $s, &AF_INET, &SOCK_STREAM, 0) or die "socket: $!"; | 163 socket(my $s, &AF_INET, &SOCK_STREAM, 0) or die "socket: $!"; |
110 connect($s, $dest_serv_params) or die "connect: $!"; | 164 connect($s, $dest_serv_params) or die "connect: $!"; |
111 | 165 |
166 my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!"); | |
167 Net::SSLeay::set_cert_and_key($ctx, "$d/$cert.crt", "$d/$cert.key") | |
168 or die if $cert; | |
112 my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!"); | 169 my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!"); |
113 Net::SSLeay::set_fd($ssl, fileno($s)); | 170 Net::SSLeay::set_fd($ssl, fileno($s)); |
114 Net::SSLeay::connect($ssl) or die("ssl connect"); | 171 Net::SSLeay::connect($ssl) or die("ssl connect"); |
115 return ($s, $ssl); | 172 |
173 my $buf = Net::SSLeay::read($ssl); | |
174 log_in($buf); | |
175 return $buf unless wantarray(); | |
176 | |
177 my $list = Net::SSLeay::get_client_CA_list($ssl); | |
178 my @names; | |
179 for my $i (0 .. Net::SSLeay::sk_X509_NAME_num($list) - 1) { | |
180 my $name = Net::SSLeay::sk_X509_NAME_value($list, $i); | |
181 push @names, Net::SSLeay::X509_NAME_oneline($name); | |
182 } | |
183 return @names; | |
116 } | 184 } |
117 | 185 |
118 ############################################################################### | 186 ############################################################################### |
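Review bot: `get` (new-side lines 157–184) returns a different thing depending on `wantarray()` — the server's reply in scalar context, the client CA name list in list context — and the `is(get(...), ...)`/`like(get(...), ...)` callers only receive the reply because Test::More declares `is` and `like` with a `($$;$)` prototype that forces scalar context on each argument. Any caller without such a prototype (a plain `print get(8082)`, or `get(...)` inside a list) would silently get CA names instead, and the one list-context caller, `join ' ', get(8082, '3.example.com')` on line 141, reads as if it were joining the reply. Splitting the handshake into a helper so that `get` always returns the reply and a separate `get_client_ca_list` returns `@names` removes the dependence on the callers' prototypes; line 141 would then call `get_client_ca_list(8082, '3.example.com')`. Separately, the `$ctx` and `$ssl` created on every call are never released with `Net::SSLeay::SSL_free`/`CTX_free`; harmless for a ten-check script, but worth a comment such as `# ctx/ssl are not freed: the process exits right after the checks`.
```perl
sub get {
	my ($port, $cert) = @_;
	my $ssl = ssl_connect($port, $cert);
	my $buf = Net::SSLeay::read($ssl);
	log_in($buf);
	return $buf;
}

sub get_client_ca_list {
	my ($port, $cert) = @_;
	my $ssl = ssl_connect($port, $cert);
	my $list = Net::SSLeay::get_client_CA_list($ssl);
	# … unchanged: loop collecting X509_NAME_oneline() of each entry into @names …
	return @names;
}

sub ssl_connect {
	my ($port, $cert) = @_;
	# … unchanged: socket()/connect(), CTX_new, set_cert_and_key if $cert, new, set_fd, connect …
	return $ssl;
}
```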